IPSECKEY RRs?
Hi Does anyone have experience with a IPSECKEY RR? Especially how to make one? Why do I need one, you ask? Well, it's my best guest. I have to create a site2site vpn tunnel between a Westermo GPRS-Modem and a Checkpoint Firewall, and the Modem does not accept the certificate. Instead it logs: no RSA public key known for '62.99.190.155'; DNS search for KEY failed (failure querying DNS for KEY of 155.190.99.62.in-addr.arpa.: Host name lookup failure) I found an example of such an RR on the interwebs, it looks like this: 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== ) My BIND 9.8.2 accepts this record, but of course I need the correct one, not the example. So, does anyone know how to convert the public key of my certificate into a signature like this? Here some additional information: Logentries of the Mestermo MRD-310: 84Dec 18 16:51:25 pluto[16214]: VPN_ASA_TM0 #1: Main mode peer ID is ID_IPV4_ADDR: '62.99.190.155' 84Dec 18 16:51:25 pluto[16214]: VPN_ASA_TM0 #1: issuer cacert not found 84Dec 18 16:51:25 pluto[16214]: VPN_ASA_TM0 #1: X.509 certificate rejected 84Dec 18 16:51:25 pluto[16214]: VPN_ASA_TM0 #1: issuer cacert not found 84Dec 18 16:51:25 pluto[16214]: VPN_ASA_TM0 #1: X.509 certificate rejected 84Dec 18 16:51:26 pluto[16214]: VPN_ASA_TM0 #1: no RSA public key known for '62.99.190.155'; DNS search for KEY failed (failure querying DNS for KEY of 155.190.99.62.in-addr.arpa.: Host name lookup failure) 84Dec 18 16:51:26 pluto[16214]: VPN_ASA_TM0 #1: sending encrypted notification INVALID_KEY_INFORMATION to 62.99.190.155:500 IPSECKEY rfc: https://tools.ietf.org/html/rfc4025 Thanks! --- Ing. Christian Melbinger Netzwerk Security WienIT EDV Dienstleistungsgesellschaft mbH Co KG A-1030 Wien, Thomas-Klestil-Platz 6 tel: +43 (1) 90405 47188 fax: +43 (1) 90405 88 47188 mailto:christian.melbin...@wienit.at WienIT EDV Dienstleistungsgesellschaft mbH Co KG, A-1030 Wien, Thomas-Klestil-Platz 6, FN 255974h, Handelsgericht Wien, DVR: 2109667, UID-Nr. ATU61260824 Persönlich haftender Gesellschafter: WienIT EDV Dienstleistungsgesellschaft mbH, A-1030 Wien, Thomas-Klestil-Platz 6, FN 255649f, Handelsgericht Wien, UID-Nr. ATU61296118 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
BIND 10 - 1.0.0 Beta Release
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 BIND 10 - 1.0.0 Beta Release Welcome to the first beta toward the first production BIND 10 1.0.0 release. BIND 10 provides a C++ library for DNS (with python wrappers) and several cooperating daemons for providing authoritative DNS service (with in-memory and SQLite3 backends and DNSSEC support), dynamic DNS, zone transfers, forwarding, and experimental recursive name service. It also provides DHCPv4 and DHCPv6 servers and a C++ library for DHCP. Supplementary components are included for statistics collection and reporting and remote configuration and control. The DNS highlights since the second alpha release include: - - New C++ (with Python wrapper) DNS master zone file parser. - - Rewritten command-line zone loader tool (for loading into SQLite3 database). The DHCP highlights include: - - Implements definitions for most of the DHCPv4 and DHCPv6 standard options. (Option definitions are used to validate contents of options received by a server and to create instances of options being sent to a client.) - - Added support for expired leases in b10-dhcp6. Note that the new b10-loadzone has different command-line syntax and the TSIG configuration for b10-xfrin has changed. Also, the default configuration location changed from ${PREFIX}/var/bind10-devel/ to ${PREFIX}/var/bind10/ and default shared files changed from ${PREFIX}/share/bind10-devel/ to ${PREFIX}/share/bind10/; if upgrading from a previous version, you may need to move and update your configurations. We are looking for testers to provide feedback about using this beta release. For more information about BIND 10, the release schedule, and the community testing plans, please see: http://bind10.isc.org/wiki/ProductionRelease Documentation is included and also available via the BIND 10 website at http://bind10.isc.org/ The bind10-1.0.0-beta source may be downloaded from: ftp://ftp.isc.org/isc/bind10/1.0.0-beta/bind10-1.0.0-beta.tar.gz A PGP signature of the distribution is at ftp://ftp.isc.org/isc/bind10/1.0.0-beta/bind10-1.0.0-beta.tar.gz.sha512.asc The signature was generated with the ISC public key, which is available at https://www.isc.org/about/openpgp Users and developers are encouraged to participate on the BIND 10 mailing lists. Please provide your feedback: https://lists.isc.org/mailman/listinfo/bind10-users https://lists.isc.org/mailman/listinfo/bind10-dev Bugs may be reported as tickets via the developers website (after logging into Trac): http://bind10.isc.org/ A summary of the significant changes since the previous release include (from the ChangeLog): 533.[build]*jreed Changed the package name in configure.ac from bind10-devel to bind10. This means the default sub-directories for etc, include, libexec, share, share/doc, and var are changed. If upgrading from a previous version, you may need to move and update your configurations or change references for the old locations. (git bf53fbd4e92ae835280d49fbfdeeebd33e0ce3f2) 532.[func] marcin Implemented configuration of DHCPv4 option values using the configuration manager. In order to set values for the data fields carried by a particular option, the user specifies a string of hexadecimal digits that is converted to binary data and stored in the option buffer. A more user-friendly way of specifying option content is planned. (Trac #2544, git fed1aab5a0f813c41637807f8c0c5f8830d71942) 531.[func] tomek b10-dhcp6: Added support for expired leases. Leases for IPv6 addresses that are past their valid lifetime may be recycled, i.e. rellocated to other clients if needed. (Trac #2327, git 62a23854f619349d319d02c3a385d9bc55442d5e) 530.[func]* team b10-loadzone was fully overhauled. It now uses C++-based zone parser and loader library, performing stricter checks, having more complete support for master file formats, producing more helpful logs, is more extendable for various types of data sources, and yet much faster than the old version. In functionality the new version should be generally backwards compatible to the old version, but there are some incompatibilities: name fields of RDATA (in NS, SOA, etc) must be absolute for now; due to the stricter checks some input that was (incorrectly) accepted by the old version may now be rejected; command line options and arguments are not compatible. (Trac #2380, git 689b015753a9e219bc90af0a0b818ada26cc5968) 529.[func]* team The in-memory data source now uses a more complete master file parser to load textual zone files. As of this change it supports multi-line RR representation and more complete
Local Lookups Fail When the Net is down.
We are using BIND 9.7.7 with recursion. Our boarder router temporarily failed completely isolating our campus from the rest of the internet. During that time, it was impossible to do local lookups. We were showing 997 out of 1000 recursive clients which is no surprise but the loss of local resolution effected our telephone system which is migrating over to VOIP + any other lookups a client might do that at least in theory should still work because they are making queries for hosts in our master zones. I have been here for a bit over 20 years and we have lost all connectivity only a very few times, but I had actually begun to think that newer versions of bind would still provide local resolution. The systems running the master and slave DNS's continued to run as they have plenty of resources, but there was no local resolution. Is there anything short of internal and external-facing DNS's that we can do to be sure that local resolution stays up? Thank you very much. Martin McCormick Stillwater, OK Systems Engineer OSU Information Technology Department Telecommunications Services Group ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Local Lookups Fail When the Net is down.
In message 201212202013.qbkkdksi002...@x.it.okstate.edu, Martin McCormick writes: We are using BIND 9.7.7 with recursion. Our boarder router temporarily failed completely isolating our campus from the rest of the internet. During that time, it was impossible to do local lookups. We were showing 997 out of 1000 recursive clients which is no surprise but the loss of local resolution effected our telephone system which is migrating over to VOIP + any other lookups a client might do that at least in theory should still work because they are making queries for hosts in our master zones. I have been here for a bit over 20 years and we have lost all connectivity only a very few times, but I had actually begun to think that newer versions of bind would still provide local resolution. The systems running the master and slave DNS's continued to run as they have plenty of resources, but there was no local resolution. Is there anything short of internal and external-facing DNS's that we can do to be sure that local resolution stays up? You need to look at search lists and make sure there are no external dependancies. If you have partially qualified names being used you may be depending apon a NXDOMAIN from the root. A local copy of the root zone will help here. If you do recursion internally you will need to increase the number of recursive clients. If you are validating you will want to distribute trust anchors for internal namespace. If you are using DLV you will want a internal copy of the dlv zone. Thank you very much. Martin McCormick Stillwater, OK Systems Engineer OSU Information Technology Department Telecommunications Services Group ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: IPSECKEY RRs?
Corrected encoding of large exponent and read from stdin. use MIME::Base64; print exponent: ; $exponent = ; print mantisa: ; $mantisa = ; # strip white space $exponent =~ s/\s//g; $mantisa =~ s/\s//g; #convert to binary $exponent = pack(H*, $exponent); $mantisa = pack(H*, $mantisa); $data = ''; if (length($exponent) 256) { $data .= pack(C, length($exponent)); } elsif (length($exponent) 0x) { $data .= pack(CCn, 0, 2, length($exponent)); } elsif (length($exponent) 0xff) { $data .= pack(CCn, 0, 3, length($exponent)); } else { $data .= pack(CCn, 0, 4, length($exponent)); } $data .= $exponent; $data .= $mantisa; print encode_base64($data).\n; -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users